The following Fedora EPEL 7 Security updates need testing: Age URL 1051 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087 dokuwiki-0-0.24.20140929c.el7 814 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f mcollective-2.8.4-1.el7 396 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-04bc9dd81d libbsd-0.8.3-1.el7 294 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d241156dfe mod_cluster-1.3.3-10.el7 125 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e27758bd23 libmspack-0.6-0.1.alpha.el7 63 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e64eeb6ece nagios-4.3.4-5.el7 26 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8d57a2487b monit-5.25.1-1.el7 13 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-28611aa33f python-bottle-0.12.13-1.el7 13 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-885bb5ec89 poco-1.6.1-3.el7 12 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-73ee944e65 rootsh-1.5.3-17.el7 5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-73feedd767 wordpress-4.9.2-1.el7 5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1 clamav-0.99.2-18.el7 The following builds have been pushed to Fedora EPEL 7 updates-testing GraphicsMagick-1.3.28-1.el7 distribution-gpg-keys-1.18-1.el7 fedfind-4.0.0-1.el7 freeciv-2.5.10-1.el7 freshmaker-0.0.10-1.el7 knot-2.6.4-1.el7 mock-core-configs-28.2-1.el7 module-build-service-1.6.3-1.el7 modulemd-1.3.3-1.el7 moodle-3.1.10-1.el7 mozilla-https-everywhere-2018.1.11-1.el7 python-fdb-1.8-1.el7 python3-docker-2.6.1-1.el7 radcli-1.2.9-1.el7 standard-test-roles-2.6-2.el7 transmission-2.92-12.el7 Details about builds: ================================================================================ GraphicsMagick-1.3.28-1.el7 (FEDORA-EPEL-2018-ce6223e559) An ImageMagick fork, offering faster image generation and better quality -------------------------------------------------------------------------------- Update Information: Latest stable release, includes many bug and security fixes. See also http://www.graphicsmagick.org/NEWS.html#january-20-2017 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1473729 - CVE-2017-11102 GraphicsMagick: Input validation failure in ReadOneJNGImage function may cause denial of service [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1473729 [ 2 ] Bug #1473741 - CVE-2017-11139 GraphicsMagick: double free vulnerabilities in the [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1473741 [ 3 ] Bug #1473752 - CVE-2017-11140 GraphicsMagick: Resource exhaustion denial of service in ReadJPEGImage function [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1473752 [ 4 ] Bug #1475454 - CVE-2017-11637 GraphicsMagick: NULL pointer dereference in WritePCLImage() in coders/pcl.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1475454 [ 5 ] Bug #1475458 - CVE-2017-11636 GraphicsMagick: Heap based buffer over-write in WriteRGBImage in coders/rgb.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1475458 [ 6 ] Bug #1475490 - CVE-2017-11641 GraphicsMagick: Memory Leak in the PersistCache in magick/pixel_cache.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1475490 [ 7 ] Bug #1475498 - CVE-2017-11643 GraphicsMagick: Heap based over-write in WriteCMYKImagefunction in coders/cmyk.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1475498 [ 8 ] Bug #1484483 - CVE-2017-13147 GraphicsMagick: Allocation failure in ReadMNGImage function in coders/png.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1484483 [ 9 ] Bug #1512038 - CVE-2017-16669 GraphicsMagick: Heap buffer over-write in AcquireCacheNexus function in magick/pixel_cache.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1512038 [ 10 ] Bug #1512049 - CVE-2017-16353 GraphicsMagick: ImageMagick, GraphicsMagick: memory information disclosure in DescribeImage function in magick/describe.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1512049 [ 11 ] Bug #1528037 - CVE-2017-17782 GraphicsMagick: heap-based buffer over-read in ReadOneJNGImage function in coders/png.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1528037 [ 12 ] Bug #1528051 - CVE-2017-17783 GraphicsMagick: heap based buffer over-read in ReadPALMImage in coders/palm.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1528051 [ 13 ] Bug #1529535 - CVE-2017-17915 GraphicsMagick: Memory leak in the function ReadMNGImage in coders/png.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1529535 [ 14 ] Bug #1529557 - CVE-2017-17913 GraphicsMagick: stack-based buffer over-read in WriteWEBPImage in coders/webp.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1529557 [ 15 ] Bug #1529580 - CVE-2017-17912 GraphicsMagick: GraphicsMagick: heap-based buffer over-read in ReadNewsProfile in coders/tiff.c [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1529580 [ 16 ] Bug #1536951 - GraphicsMagick: 2018-5685 GraphicsMagick: Infinite loop and application hang in coders/bmp.c:ReadBMPImage [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1536951 -------------------------------------------------------------------------------- ================================================================================ distribution-gpg-keys-1.18-1.el7 (FEDORA-EPEL-2018-5d1486ae23) GPG keys of various Linux distributions -------------------------------------------------------------------------------- Update Information: - updated Copr keys - add UnitedRPMs - add remi 2018 key -------------------------------------------------------------------------------- References: [ 1 ] Bug #1536804 - distribution-gpg-keys-1.18-1 is available https://bugzilla.redhat.com/show_bug.cgi?id=1536804 -------------------------------------------------------------------------------- ================================================================================ fedfind-4.0.0-1.el7 (FEDORA-EPEL-2018-a292395242) Fedora compose and image finder -------------------------------------------------------------------------------- Update Information: This update provides a new major release of fedfind. It is going out to stable releases as fedfind is used quite extensively in Fedora QA infrastructure, and we prefer to keep all those deployments on the latest code. The new release also provides some significant enhancements in correctness checking that will be useful in these cases. See [the upstream changelog](https://pagure.io/fedora- qa/fedfind/blob/5713f806517a358a5761aaaff9cfd276f8aeb862/f/CHANGELOG.md) for more details on the specific changes in this release. Most uses of fedfind (both CLI and as a Python library) should continue to work unchanged, or with only minimal changes (mainly because `get_release` can raise some different exceptions now). -------------------------------------------------------------------------------- ================================================================================ freeciv-2.5.10-1.el7 (FEDORA-EPEL-2018-9092e4f094) A multi-player strategy game -------------------------------------------------------------------------------- Update Information: 2.5.10 -------------------------------------------------------------------------------- ================================================================================ freshmaker-0.0.10-1.el7 (FEDORA-EPEL-2018-688fb40278) Freshmaker is a service scheduling rebuilds of artifacts as new content becomes available. -------------------------------------------------------------------------------- Update Information: New version 0.0.10. -------------------------------------------------------------------------------- ================================================================================ knot-2.6.4-1.el7 (FEDORA-EPEL-2018-d0d50ca69d) High-performance authoritative DNS server -------------------------------------------------------------------------------- Update Information: Knot DNS 2.6.4 (2018-01-02) =========================== Features: ---------- - Module synthrecord allows multiple 'network' specification - New CSK handling support in keymgr Improvements: ------------- - Allowed configuration for infinite zsk lifetime - Increased performance and security of the module synthrecord - Signing changeset is stored into journal even if 'zonefile-load' is whole Bugfixes: --------- - Unintentional zone re-sign during reload if empty NSEC3 salt - Inconsistent zone names in journald structured logs - Malformed outgoing transfer for big zone with TSIG - Some minor DNSSEC-related issues Knot DNS 2.6.3 (2017-11-24) =========================== Bugfixes: --------- - Wrong detection of signing scheme rollover Knot DNS 2.6.2 (2017-11-23) =========================== Features: --------- - CSK algorithm rollover and (KSK, ZSK) <-> CSK rollover support Improvements: ------------- - Allowed explicit configuration for infinite ksk lifetime - Proper error messages instead of unclear error codes in server log - Better support for old compilers Bugfixes: --------- - Unexpected reply for DS query with an owner below a delegation point - Old dependencies in the pkg-config file -------------------------------------------------------------------------------- ================================================================================ mock-core-configs-28.2-1.el7 (FEDORA-EPEL-2018-d64efdfb20) Mock core config files basic chroots -------------------------------------------------------------------------------- Update Information: - add fedora 28 configs - remove failovermethod=priority for repos which use dnf - remove fedora 24 configs - set skip_if_unavailable=False for all repos -------------------------------------------------------------------------------- ================================================================================ module-build-service-1.6.3-1.el7 (FEDORA-EPEL-2018-e4e74e197f) The Module Build Service for Modularity -------------------------------------------------------------------------------- Update Information: Changes ------- * Fix a bug that caused a module build to fail when it was cancelled during the module-build-macros phase and then resumed * Reset the "state_reason" field on all components after a module build is resumed * Cancel new repo tasks on module build failures in Koji * Use available Koji repos during local builds instead of building them locally * Add an incrementing prefix to module components' releases * Add a "context" field on component and module releases in Koji for uniqueness for when Module Stream Expansion is implemented * Remove urlgrabber as a dependency * Set an explicit log level on our per-build file handler * Set the timeout on git operations to 60 seconds to help alleviate client tooling timeouts * Improve the efficiency of the stale module builds poller * Fix situations where module-build-macros builds in Koji but fails in MBS and the build is resumed -------------------------------------------------------------------------------- References: [ 1 ] Bug #1487065 - module-build-service-1.3.26-3.fc26: local build always disables tests https://bugzilla.redhat.com/show_bug.cgi?id=1487065 [ 2 ] Bug #1514631 - module-build-service-1.5.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=1514631 -------------------------------------------------------------------------------- ================================================================================ modulemd-1.3.3-1.el7 (FEDORA-EPEL-2018-701ce7a3d5) Module metadata manipulation library -------------------------------------------------------------------------------- Update Information: Latest upstream. -------------------------------------------------------------------------------- ================================================================================ moodle-3.1.10-1.el7 (FEDORA-EPEL-2018-9eb18da891) A Course Management System -------------------------------------------------------------------------------- Update Information: CVE-2018-1042/CVE-2018-1043/CVE-2018-1044/CVE-2018-1045 fixes. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1537469 - CVE-2018-1042 CVE-2018-1043 CVE-2018-1044 CVE-2018-1045 moodle: Four security issues fixed in the latest release [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1537469 [ 2 ] Bug #1537470 - CVE-2018-1042 CVE-2018-1043 CVE-2018-1044 CVE-2018-1045 moodle: Four security issues fixed in the latest release [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1537470 -------------------------------------------------------------------------------- ================================================================================ mozilla-https-everywhere-2018.1.11-1.el7 (FEDORA-EPEL-2018-c9726806a3) HTTPS enforcement extension for Mozilla Firefox -------------------------------------------------------------------------------- Update Information: * More ruleset updates -------------------------------------------------------------------------------- ================================================================================ python-fdb-1.8-1.el7 (FEDORA-EPEL-2018-e752d34c99) Firebird RDBMS bindings for Python -------------------------------------------------------------------------------- Update Information: New upstream 1.8 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1525032 - '403 SSL is required' while trying to download Source0 with spectool https://bugzilla.redhat.com/show_bug.cgi?id=1525032 -------------------------------------------------------------------------------- ================================================================================ python3-docker-2.6.1-1.el7 (FEDORA-EPEL-2018-b5d2d52b39) A Python library for the Docker Engine API -------------------------------------------------------------------------------- Update Information: - Initial EPEL7 package -------------------------------------------------------------------------------- ================================================================================ radcli-1.2.9-1.el7 (FEDORA-EPEL-2018-4a215d352d) RADIUS protocol client library -------------------------------------------------------------------------------- Update Information: New upstream release -------------------------------------------------------------------------------- References: [ 1 ] Bug #1266675 - radcli-1.2.9 is available https://bugzilla.redhat.com/show_bug.cgi?id=1266675 -------------------------------------------------------------------------------- ================================================================================ standard-test-roles-2.6-2.el7 (FEDORA-EPEL-2018-fa163f5366) Standard Test Interface Ansible roles -------------------------------------------------------------------------------- Update Information: Build with the latest merged PRs. -------------------------------------------------------------------------------- ================================================================================ transmission-2.92-12.el7 (FEDORA-EPEL-2018-c0d5d190b0) A lightweight GTK+ BitTorrent client -------------------------------------------------------------------------------- Update Information: CVE patch fix. ---- Security fix for CVE-2018-5702 (Mitigate dns rebinding attacks against daemon) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1534061 - CVE-2018-5702 transmission: Remote code execution (RCE) in rpc session-id via dns rebinding attack https://bugzilla.redhat.com/show_bug.cgi?id=1534061 -------------------------------------------------------------------------------- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx